Palo Alto Dual ISP, ECMP enabled on the external interfaces, and IPSec VPN tunnels.
Good afternoon, as always, thanks for the collaboration and support.
A few doubts. We currently have a PA configured with ECMP for outbound traffic to the Internet, with two different ISPs. We plan to configure a site-to-site VPN with each of the ISPs.
Here are the doubts, so that you can give me your opinions and suggestions:
Doubt 1: Will I have any problem when I configure the two IPSec tunnels with the dual ISPs (with ECMP previously enabled) for the IKE/ESP type traffic? Will it generate any conflict or problem with the stability of each IPSec tunnel? Will the PA have problems with this type of traffic from its interfaces, with their respective public IPs, ISPs and peers?
Doubt 2: Thinking about the routes, if I configure the tunnel interfaces that are used to declare the routes of each ISP to reach the same destination, is it feasible to use ECMP for the tunnel interfaces (tunnel.20 and tunnel.21) to send the traffic in a balanced way?
Doubt 3: Thinking about a dual failover scenario (not balancing, but failover), which is better? To use routes with Path Monitoring (at route level, in the Virtual Router VR, not at HA level), so that in case of failure the other route becomes valid in the FIB? Or to use PBF? If I use PBF, am I forced to have an IP on each end of the tunnels to be able to monitor the other peer? For example, in the case of Path Monitoring, using an IP of the range that is allowed in the encryption domain is enough for me to probe the IP at the Path Monitoring route level, but with PBF I am forced to have an IP on the other end's tunnel interface as well. What is the recommendation or the best way?
I am not talking about a dual failover type, where one responds and in case of failure the other responds, but about ECMP-type balancing for site-to-site IPSec VPN traffic. This is for Doubt 2.
Thank you very much for your time, I remain attentive to your comments.
Best regards
If the other side doesn't support ECMP or some sort of symmetric return, that side will very probably send traffic back over the same preferred tunnel and only use the other one as fallback. You can account for asymmetry by setting both tunnel interfaces in the same zone; that will "fix" session state across both tunnels. You will have to account for lopsided throughput on the inbound (bandwidth-balanced upload, single-line download).
1. Yes, no problem.
2. You can only pair one set of ECMP interfaces per VR; if you want to balance over the tunnel interfaces, those will need to be put in their own VR.
3. For PBF both tunnels will need a unique remote IP for PBF monitoring, but for ECMP both tunnels will also need a unique IP for tunnel monitoring, since the tunnel needs to go down for ECMP to remove the interface as a routing option. I'd use load balancing if bandwidth is an issue, failover if one tunnel can carry all the traffic.
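To make the two answers concrete, here is an added example (not from either poster) in PAN-OS `set` command form: both tunnel interfaces in one zone, a dedicated VR holding only the tunnels with ECMP and tunnel monitoring (Doubt 2, answer points 2 and 3), and the alternative failover layout with path-monitored static routes instead of PBF (Doubt 3). Names, addresses, the remote prefix and the exact keyword syntax are assumptions recalled from memory; check them against the PAN-OS version in use before committing.

```text
# Added example, not from the thread. Names and addresses are placeholders;
# keyword syntax must be verified in configure mode on the target PAN-OS release.

# --- Tunnel interfaces: an IP on each end gives tunnel/path monitoring a target
set network interface tunnel units tunnel.20 ip 10.255.20.1/30
set network interface tunnel units tunnel.21 ip 10.255.21.1/30
# Both tunnels in one zone so a session may return over either tunnel (first answer)
set zone VPN network layer3 [ tunnel.20 tunnel.21 ]

# --- Option A (Doubt 2): balance over both tunnels.
# The ISP-facing interfaces already form the ECMP set of the default VR,
# so the tunnels get their own VR (second answer, point 2).
set network virtual-router VPN-VR interface [ tunnel.20 tunnel.21 ]
set network virtual-router VPN-VR ecmp enable yes
set network virtual-router VPN-VR ecmp max-path 2
set network virtual-router VPN-VR ecmp symmetric-return yes
set network virtual-router VPN-VR ecmp algorithm ip-modulo
# Equal metrics to the remote LAN through each tunnel: ECMP installs both in the FIB
set network virtual-router VPN-VR routing-table ip static-route remote-via-20 destination 10.50.0.0/16 interface tunnel.20 metric 10
set network virtual-router VPN-VR routing-table ip static-route remote-via-21 destination 10.50.0.0/16 interface tunnel.21 metric 10

# Tunnel monitoring with a fail-over action: when the peer tunnel IP stops answering
# the tunnel interface goes down, which is what removes it from ECMP (point 3).
set network profiles monitor-profile vpn-failover action fail-over interval 3 threshold 5
set network tunnel ipsec ISP-A-VPN tunnel-interface tunnel.20
set network tunnel ipsec ISP-A-VPN tunnel-monitor enable yes destination-ip 10.255.20.2 tunnel-monitor-profile vpn-failover
set network tunnel ipsec ISP-B-VPN tunnel-interface tunnel.21
set network tunnel ipsec ISP-B-VPN tunnel-monitor enable yes destination-ip 10.255.21.2 tunnel-monitor-profile vpn-failover

# --- Option B (Doubt 3): active/standby instead of ECMP, so the tunnels can stay
# in the default VR. The preferred route carries path monitoring; when the probe
# fails it leaves the FIB and the metric-20 route via tunnel.21 takes over. No PBF needed.
set network virtual-router default routing-table ip static-route remote-primary destination 10.50.0.0/16 interface tunnel.20 metric 10
set network virtual-router default routing-table ip static-route remote-primary path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route remote-primary path-monitor monitor-destinations peer-lan enable yes source 10.255.20.1 destination 10.50.0.1 interval 3 count 5
set network virtual-router default routing-table ip static-route remote-backup destination 10.50.0.0/16 interface tunnel.21 metric 20
```

Options A and B are alternatives, not meant to be committed together; in option B the probed address 10.50.0.1 must lie inside the remote encryption domain, as the original poster notes for path monitoring.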